DNS Services
F5 Networks, Inc.
Contents:
1 Lab Environment
2.7 URL Categorization
2.7.1 Create an iRule
2.7.2 iRule assignment
2.7.3 Results
3 Credits
1 Lab Environment
2 Class 2 - Advanced GSLB
The lab environment consists of a LAN of workstations in a remote location, with internal DNS servers behind an F5 firewall. The F5 device is directly connected to the internet.
Students will work with the following concepts as part of a group of lab exercises:
1. Transparent Cache
2. Hidden Master
3. DNSSec
4. Validating Resolver
5. RPZ
6. URL Categorization
2.1.1 Monitors
A DNS application-specific health monitor provides the intelligence for steering DNS queries towards the fastest responding DNS server: it is only satisfied by a correct answer to a real query, not merely by an open port.
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/monitor/list.jsp
Create a monitor according to the following table:
Setting      Value
Name         example.com_dns_monitor
Type         DNS
Query Name   www.example.com
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/monitor/create.jsp
TMSH
tmsh create ltm monitor dns example.com_dns_monitor defaults-from dns qname www.example.com
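The point of a DNS-type monitor over a plain port check is that it sends a real query and judges the reply. The following added example (not F5 code) builds the same kind of query the lab monitor sends for www.example.com and applies the checks a monitor would make on the reply: matching transaction ID, QR bit set, question echoed, RCODE 0 and at least one answer. The reply it checks is a constructed sample, not a capture from the lab's DNS servers.

```python
import struct

# Added example: what a DNS-aware health monitor verifies, modelled on the
# lab's monitor for www.example.com. Responses are constructed samples.

def name_to_wire(name):
    """Encode a dotted name as DNS wire-format labels."""
    labels = [label for label in name.strip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, txid, qtype=1, qclass=1):
    """Standard query with RD set; qtype 1 = A, qclass 1 = IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + name_to_wire(qname) + struct.pack("!HH", qtype, qclass)

def check_response(query, response):
    """Return a verdict dict. A port check would accept any packet; a DNS
    monitor insists on a matching, successful, answered reply."""
    verdict = {"ok": False, "reason": None, "rcode": None, "answers": 0}
    if len(response) < 12:
        verdict["reason"] = "short packet"
        return verdict
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    verdict["rcode"] = flags & 0x000F
    verdict["answers"] = an
    if rid != struct.unpack("!H", query[:2])[0]:
        verdict["reason"] = "transaction id mismatch"
    elif not flags & 0x8000:
        verdict["reason"] = "not a response (QR bit clear)"
    elif response[12:len(query)] != query[12:]:
        verdict["reason"] = "question section not echoed"
    elif verdict["rcode"] != 0:
        verdict["reason"] = "rcode %d" % verdict["rcode"]
    elif an == 0:
        verdict["reason"] = "no answer records"
    else:
        verdict["ok"] = True
    return verdict

def sample_response(query, ip="10.1.71.10", ttl=300, flags=0x8180):
    """Constructed reply: QR/RD/RA set, one A record answering the question.
    0xC00C is a compression pointer back to the question name at offset 12."""
    header = query[:2] + struct.pack("!HHHHH", flags, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + answer

if __name__ == "__main__":
    q = build_query("www.example.com", 0x1234)
    print(check_response(q, sample_response(q)))                 # healthy
    print(check_response(q, sample_response(q, flags=0x8182)))   # SERVFAIL
```

A backend that answers on port 53 but returns SERVFAIL, or a reply whose question does not match the probe, is marked down by this logic, which is exactly the distinction the lab's `Type DNS` monitor makes when it steers queries away from an unhealthy member.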
Augment and scale an existing DNS infrastructure by load balancing DNS queries across a pool of DNS servers.
Navigate to: Delivery : Load Balancing : Pools : Pool List
Create a pool according to the following table:
Setting                 Value
Name                    branch01_dns_pool
Health Monitors         example.com_dns_monitor
Member 1: Node Name     dc01.branch01.example.com_node
Member 1: Address       10.1.70.200
Member 1: Service Port  53
Member 2: Node Name     dc02.branch01.example.com_node
Member 2: Address       10.1.70.210
Member 2: Service Port  53
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/pool/create.jsp
TMSH
tmsh create ltm pool branch01_dns_pool members add { dc01.branch01.example.com_node:53 { address 10.1.70.200 } dc02.branch01.example.com_node:53 { address 10.1.70.210 } } monitor example.com_dns_monitor
2.1.3 Results
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/pool/list.jsp
2. Click to select “branch01_dns_pool”, and then select “Members”
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/pool/resources.jsp?name=/Common/branch01_dns_pool
3. Notice the health status of the existing DNS infrastructure.
TMSH
tmsh show ltm pool branch01_dns_pool detail
In this module we will prepare the objects required to build a transparent cache.
In the next exercise a DNS profile will reference the cache and a listener will forward traffic to a healthy backend DNS server.
Enabling a transparent cache on the BIG-IP will offload some DNS queries from being sent to the internal DNS servers.
Log into the gateway device router01.branch01 in the branch office.
Navigate to DNS ›› Caches : Cache List
Create a transparent cache according to the following table:
Setting        Value
Name           transparent_cache
Resolver Type  Transparent
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/cache/create.jsp
TMSH command for router01.branch01:
TMSH
tmsh create ltm dns cache transparent transparent_cache
2.2 Listeners
A listener object is a specialized virtual server that is configured to respond to DNS queries.
We will be creating both TCP and UDP based listeners that have the same IP addresses as the existing DNS servers.
Note: the Workstation is configured to use 10.1.70.200 and 10.1.70.210 for DNS.
After this module students will have enabled the BIG-IP to intercept and cache DNS requests.
2.2.1 Log Profile
Create a local syslog publisher as shown in the table below:
Setting       Value
Name          local-syslog-publisher
Destinations  local-syslog
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/system/log/create_publisher.jsp
TMSH
tmsh create sys log-config publisher local-syslog-publisher { destinations add { local-syslog { } } }
Create a DNS logging profile as shown in the table below:
Setting           Value
Name              example_dns_logging_profile
Log Publisher     local-syslog-publisher
Log Responses     enabled
Include Query ID  enabled
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/locallb/profile/dns_log/create.jsp
TMSH
tmsh create ltm profile dns-logging example_dns_logging_profile enable-response-logging yes include-query-id yes log-publisher local-syslog-publisher
A DNS profile will control which features are enabled as part of processing a query.
Navigate to: DNS ›› Delivery : Profiles : DNS
Create a DNS profile as shown in the table below.
Setting                     Value
Name                        example.com_dns_profile
DNS Cache                   Enabled
DNS Cache Name              transparent_cache
Use BIND Server on Big-IP   Disabled
Logging                     Enabled
Logging Profile             example_dns_logging_profile
AVR statistics Sample Rate  Enabled, 1/1 queries sampled
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/locallb/profile/dns/create.jsp
TMSH
tmsh create ltm profile dns example.com_dns_profile { avr-dnsstat-sample-rate 1 cache transparent_cache defaults-from dns enable-cache yes enable-logging yes log-profile example_dns_logging_profile use-local-bind no }
A UDP profile controls the way the platform processes UDP traffic.
Navigate to: DNS ›› Delivery : Profiles : Protocol : UDP
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/profile/udp/list.jsp
Create a UDP profile as shown in the following table.
Setting         Value
Name            example.com_udp-dns_profile
Parent Profile  udp_gtm_dns
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/profile/udp/create.jsp
TMSH
tmsh create ltm profile udp example.com_udp-dns_profile defaults-from udp_gtm_dns
A TCP profile controls the way the platform processes TCP traffic.
Navigate to: DNS ›› Delivery : Profiles : Protocol : TCP
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/profile/tcp/list.jsp
Create a TCP profile as shown in the following table.
Setting         Value
Name            example.com_tcp-dns_profile
Parent Profile  f5-tcp-lan
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/profile/tcp/create.jsp
TMSH
tmsh create ltm profile tcp example.com_tcp-dns_profile defaults-from f5-tcp-lan
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/listener/list.jsp
Create two UDP listeners according to the tables below:
Setting                                  Value
Name                                     DC01_udp_53_virtual
Destination Address                      10.1.70.200
Service Port                             DNS 53
VLAN and Tunnel Traffic -> Enabled on..  branch01_vlan
Protocol                                 UDP
Protocol Profile (Client)                example.com_udp-dns_profile
DNS Profile                              example.com_dns_profile
Default Pool                             branch01_dns_pool

Setting                                  Value
Name                                     DC02_udp_53_virtual
Destination Address                      10.1.70.210
Service Port                             DNS 53
VLAN and Tunnel Traffic -> Enabled on..  branch01_vlan
Protocol                                 UDP
Protocol Profile (Client)                example.com_udp-dns_profile
DNS Profile                              example.com_dns_profile
Default Pool                             branch01_dns_pool
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/locallb/virtual_server/create.jsp
TMSH
tmsh create gtm listener DC01_udp_virtual address 10.1.70.200 port 53 ip-protocol udp pool branch01_dns_pool profiles add { example.com_dns_profile example.com_udp-dns_profile } vlans add { branch01_vlan } vlans-enabled
TMSH
tmsh create gtm listener DC02_udp_virtual address 10.1.70.210 port 53 ip-protocol udp pool branch01_dns_pool profiles add { example.com_dns_profile example.com_udp-dns_profile } vlans add { branch01_vlan } vlans-enabled
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/listener/list.jsp
Create two TCP listeners according to the table below:
Setting                                  Value
Name                                     DC01_tcp_53_virtual
Destination                              10.1.70.200
Service Port                             DNS 53
VLAN and Tunnel Traffic -> Enabled on..  branch01_vlan
Protocol                                 TCP
Protocol Profile (Client)                example.com_tcp-dns_profile
DNS Profile                              example.com_dns_profile
Pool                                     branch01_dns_pool

Setting                                  Value
Name                                     DC02_tcp_53_virtual
Destination                              10.1.70.210
Service Port                             DNS 53
VLAN and Tunnel Traffic -> Enabled on..  branch01_vlan
Protocol                                 TCP
Protocol Profile (Client)                example.com_tcp-dns_profile
DNS Profile                              example.com_dns_profile
Pool                                     branch01_dns_pool
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/listener/create.jsp
TMSH
tmsh create gtm listener DC01_tcp_virtual address 10.1.70.200 port 53 ip-protocol tcp pool branch01_dns_pool profiles add { example.com_dns_profile example.com_tcp-dns_profile } vlans add { branch01_vlan } vlans-enabled
TMSH
tmsh create gtm listener DC02_tcp_virtual address 10.1.70.210 port 53 ip-protocol tcp pool branch01_dns_pool profiles add { example.com_dns_profile example.com_tcp-dns_profile } vlans add { branch01_vlan } vlans-enabled
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-dns-cache-implementations-11-3-0/2.html
2.2.7 Results
1. From the jumpbox open a command prompt and perform several recursive queries against your new listener to test it. Repeat some of the same queries multiple times:
dig www.f5.com
dig www.wikipedia.org
dig www.ncsu.edu
dig www.example.com
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/cache/properties.jsp?name=%2FCommon%2Ftransparent_cache
Navigate to: Statistics ›› Module Statistics : DNS : Caches ›› Caches
Navigate to: Statistics ›› Module Statistics : DNS : Caches ›› Caches : transparent_cache
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/cache/stats_detail.jsp?name=/Common/transparent_cache
TMSH
tmsh show ltm dns cache records rrset cache transparent_cache
TMSH
tmsh show ltm dns cache transparent transparent_cache
Navigate to Statistics > Module Statistics > DNS > Caches
Set “Statistics Type” to “Caches”.
Select the cache and click “Clear Cache” to empty the cache.
The internal DNS servers are authoritative for example.com so we need to slave the zone to the BIG-IP.
After this module is complete the BIG-IP will become an authoritative slave.
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/dns-services-implementations-11-6-0/2.html#unique_1658664851
Define the Active Directory server as a nameserver and initiate a zone transfer.
Navigate to DNS ›› Delivery : Nameservers : Nameserver List
Create a nameserver according to the following table:
Setting  Value
Name     dc01.example.com
Address  10.1.70.200
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/nameserver/create.jsp
TMSH
tmsh create ltm dns nameserver dc01.example.com { address 10.1.70.200 }
The zone example.com is served from the high performance authoritative resolver.
Navigate to DNS ›› Zones : Zones : Zone List
Create a DNS Express zone according to the following table:
Setting            Value
Name               example.com
Server             dc01.example.com
Allow NOTIFY From  10.1.70.200
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/zone/create.jsp
TMSH
tmsh create ltm dns zone example.com { dns-express-allow-notify add { 10.1.70.200 } dns-express-notify-tsig-verify no dns-express-server dc01.example.com }
https://support.f5.com/kb/en-us/products/big-ip-dns/manuals/product/bigip-dns-services-implementations-12-1-0/1.html#guid-977cd16a-5d12-4b1e-964c-5d8206f647ed
2.3.3 Results
The BIG-IP will now be an authoritative slave for the example.com zone. This protects the master and increases performance by utilizing the BIG-IP DNS delivery engine.
1. Click on the newly created DNS Express zone and make sure it is showing green for ‘Available’, indicating that the initial AXFR transfer was successful.
2. Using putty from the taskbar, log in to router01.branch01.example.com.
Run the following command to see the contents of the DNS Express database:
dnsxdump | less
2.4 DNSSec
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/dns-services-implementations-11-6-0/2.html#unique_1658664851
Create a zone signing key according to the following table:
Setting         Value
Name            example.com_zsk
Type            Zone Signing Key
Key Management  Manual
Certificate     default.crt
Private Key     default.key
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/dnssec_key/create.jsp
TMSH
tmsh create ltm dns dnssec key example.com_zsk key-type zsk certificate-file default.crt key-file default.key
Create a key signing key according to the following table:
Setting         Value
Name            example.com_ksk
Type            Key Signing Key
Key Management  Manual
Certificate     default.crt
Private Key     default.key
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/dnssec_key/create.jsp
TMSH commands for Key Signing key creation:
TMSH
tmsh create ltm dns dnssec key example.com_ksk key-type ksk certificate-file default.crt key-file default.key
https://router01.branch01.example.com/tmui/Control/form?__handler=/tmui/dns/dnssec_zone/list&__source=delete_confirm&__linked=false&__fromError=false
Create a DNS Express zone signed by DNSSEC according to the following table:
Setting           Value
Name              example.com
Zone Signing Key  example.com_zsk
Key Signing Key   example.com_ksk
TMSH commands for DNSSEC signed zone creation:
TMSH
tmsh create ltm dns dnssec zone example.com keys add { example.com_ksk example.com_zsk }
2.4.4 Results
2.5 Validating Resolver
Fetch the root zone's key signing keys (DNSKEY records with flags 257) and derive their DS records. These are shell commands, run from the BIG-IP bash prompt rather than from tmsh:
Shell (bash)
dig dnskey . | grep 257 > /root/dnskey.txt
dnssec-dsfromkey -f /root/dnskey.txt .
Navigate to: DNS ›› Caches : Cache List ›› validating-resolver_cache : Trust Anchors
Select the validating-resolver_cache and click “Trust Anchors”
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/cache/trust_anchor/list.jsp?name=%2FCommon%2Fvalidating-resolver_cache&tab=dns_cache_validating_config
For each line of output from the preceding command create a “Trust Anchor”.
TMSH
tmsh modify ltm dns cache validating-resolver validating-resolver_cache trust-anchors replace-all-with { ". IN DS 19036 8 1 B256BD09DC8DD59F0E0F0D8541B8328DD986DF6E" ". E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D" }
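The trust anchors pasted above are the whole root of trust for the validating resolver, so it is worth understanding what `dnssec-dsfromkey` actually computes from a DNSKEY line before trusting a DS string that arrived by copy and paste. The following added example (not F5 code and not part of the lab) reimplements that derivation per RFC 4034: the key tag over the DNSKEY RDATA and the DS digest over the canonical owner name plus RDATA. `SAMPLE_DNSKEY` is a constructed stand-in with a tiny fake key blob, not a real root key; the `ds_matches` helper is an assumed name for checking a pasted DS line against its DNSKEY.

```python
import base64
import hashlib
import struct

# Added example: what dnssec-dsfromkey computes from a DNSKEY record.
# The key below is a constructed stand-in (flags 257 = KSK/SEP bit set,
# protocol 3, algorithm 8 = RSA/SHA-256), not a real root key.
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 8 AwEAAavN"

def name_to_wire(name):
    """Canonical wire form of an owner name: lower-case, uncompressed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(rr):
    """Split a presentation-format DNSKEY RR into (owner, flags, protocol, algorithm, key bytes)."""
    fields = rr.split()
    idx = fields.index("DNSKEY")          # owner [ttl] [class] DNSKEY flags proto alg key...
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], flags, protocol, algorithm, key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5):
    16-bit big-endian word sum over the RDATA, carry folded back in."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_records(rr):
    """DS records (digest type 1 = SHA-1, 2 = SHA-256) derived from a DNSKEY RR."""
    owner, flags, protocol, algorithm, key = parse_dnskey(rr)
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key
    tag = key_tag(rdata)
    material = name_to_wire(owner) + rdata   # the digest covers owner name + RDATA
    return ["%s IN DS %d %d %d %s" % (owner, tag, algorithm, dtype, h(material).hexdigest().upper())
            for dtype, h in ((1, hashlib.sha1), (2, hashlib.sha256))]

def is_ksk(rr):
    """The lab's 'grep 257' keeps exactly the keys with the SEP bit set."""
    return bool(parse_dnskey(rr)[1] & 0x0001)

def ds_matches(ds_line, rr):
    """True if a DS line (e.g. one about to be entered as a trust anchor) was derived from rr."""
    return " ".join(ds_line.split()) in ds_records(rr)

if __name__ == "__main__":
    for line in ds_records(SAMPLE_DNSKEY):
        print(line)
```

Run against the real lines in /root/dnskey.txt, `ds_records` reproduces the output of `dnssec-dsfromkey -f /root/dnskey.txt .`, which lets you confirm that each trust anchor string entered on the BIG-IP is tied to a key you actually fetched rather than to a mistyped or truncated digest.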
2.5.2 Modify DNS Profile
In order to activate the new “Validating Resolver”, modify the DNS profile example.com_dns_profile.
Navigate to: DNS ›› Delivery : Profiles : DNS
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/profile/dns/properties.jsp?name=/Common/example.com_dns_profile
TMSH
tmsh modify ltm profile dns example.com_dns_profile cache validating-resolver_cache
2.5.3 Results
From the Workstation CMD prompt run: “dig dnssec-deployment.org +dnssec”
From the Workstation CMD prompt run: “dig dnssec-failed.org +dnssec”
http://www.internetsociety.org/deploy360/resources/dnssec-test-sites/
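Both results exercises, the repeated `dig` queries against the transparent cache earlier and the two `+dnssec` queries just above, are judged by reading dig output. The following added example (not F5 code and not part of the lab) parses the relevant header lines and applies the two checks: a repeat query served from `transparent_cache` shows a TTL that keeps counting down from the cached copy and a collapsed query time, and a `+dnssec` answer from the validating resolver carries the `ad` flag when validation succeeded or comes back SERVFAIL when it failed. The four captures are constructed samples, not output recorded in the lab, and the SERVFAIL-means-bogus rule assumes the name is known to be signed, as dnssec-failed.org is.

```python
import re

# Added example: checks over dig output for the transparent-cache and
# validating-resolver results exercises. All captures below are constructed.
FIRST_LOOKUP = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.example.com.    300   IN   A   10.1.71.10

;; Query time: 48 msec
;; SERVER: 10.1.70.200#53(10.1.70.200)
"""
SECOND_LOOKUP = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.example.com.    287   IN   A   10.1.71.10

;; Query time: 1 msec
;; SERVER: 10.1.70.200#53(10.1.70.200)
"""
SIGNED_LOOKUP = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
dnssec-deployment.org.  300  IN  A      192.0.2.10
dnssec-deployment.org.  300  IN  RRSIG  A 8 2 300 20170301000000 20170201000000 12345 dnssec-deployment.org. c29tZXNpZ25hdHVyZQ==

;; Query time: 120 msec
"""
BOGUS_LOOKUP = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4714
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; Query time: 95 msec
"""

def parse_dig(text):
    """Pull status, header flags, query time and answer TTLs out of dig output."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r";; flags: ([^;]*);", text)
    qtime = re.search(r";; Query time: (\d+) msec", text)
    ttls, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if in_answer and (not line.strip() or line.startswith(";;")):
            in_answer = False
        elif in_answer:
            ttls.append(int(line.split()[1]))    # owner TTL class type rdata
    return {"status": status.group(1) if status else None,
            "flags": set(flags.group(1).split()) if flags else set(),
            "query_time_ms": int(qtime.group(1)) if qtime else None,
            "answer_ttls": ttls}

def served_from_cache(first, second):
    """A transparent cache answers the repeat query itself: the TTL keeps
    counting down from the cached copy and the query time collapses."""
    if not first["answer_ttls"] or not second["answer_ttls"]:
        return False
    if first["query_time_ms"] is None or second["query_time_ms"] is None:
        return False
    return (max(second["answer_ttls"]) < max(first["answer_ttls"])
            and second["query_time_ms"] < first["query_time_ms"])

def validation_state(resp):
    """Classify a +dnssec answer from a validating resolver: 'ad' means the
    chain of trust checked out; SERVFAIL for a signed name means validation
    failed; neither means the name is unsigned (or the resolver is not validating)."""
    if resp["status"] == "SERVFAIL":
        return "bogus"
    if "ad" in resp["flags"]:
        return "secure"
    return "insecure"

if __name__ == "__main__":
    print(served_from_cache(parse_dig(FIRST_LOOKUP), parse_dig(SECOND_LOOKUP)))
    print(validation_state(parse_dig(SIGNED_LOOKUP)), validation_state(parse_dig(BOGUS_LOOKUP)))
```

If `dig dnssec-failed.org +dnssec` returns NOERROR without `ad`, the profile is still pointing at `transparent_cache` rather than `validating-resolver_cache`, which is the first thing to check when the results of the previous step do not match.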
Configure a validating resolver cache on the BIG-IP® system to recursively query public DNS servers, validate the responses using DNSSEC, and then cache the responses.
After completing this lab students will entirely offload DNS queries from internal masters.
Navigate to DNS ›› Caches : Cache List
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/cache/list.jsp
Create a validating resolver cache according to the table below:
Setting               Value
Name                  validating-resolver_cache
Resolver Type         Validating Resolver
Answer default zones  Checked - Enabled
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/cache/create.jsp
TMSH
tmsh create ltm dns cache validating-resolver validating-resolver_cache answer-default-zones yes
https://support.f5.com/kb/en-us/products/big-ip-dns/manuals/product/bigip-dns-services-implementations-12-1-0/7.html#guid-d4548549-b4e2-4dae-9ada-3ea00eb84c1f
2.6 RPZ
Response Policy Zone will be turned on to stop clients from trying to resolve blacklisted domains.
https://support.f5.com/kb/en-us/products/big-ip-dns/manuals/product/bigip-dns-services-implementations-12-1-0/8.html
Navigate to DNS ›› Zones : ZoneRunner : Zone List
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/globallb/zfd/zone/create.jsp
Create a ZoneRunner zone according to the following table:
Setting                Value
View Name              external
Zone Name              rpz.example.com
Zone Type              Master
Zone File Name         db.external.rpz.example.com
Options                also-notify { ::1 port 5353; };
TTL                    300
Master Server          router01.branch01.example.com.
Email Contact          hostmaster.example.com.
NS Record: TTL         300
NS Record: Nameserver  router01.branch01.example.com.
Create A Record        Checked - Enabled
A Record: IP Address   10.1.71.1
Navigate to: DNS ›› Zones : ZoneRunner : Resource Record List
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/globallb/zfd/record/create.jsp
Create a resource record according to the following table:
Setting    Value
View Name  external
Zone Name  rpz.example.com
Name       *.guns.com.rpz.example.com.
TTL        300
Type       CNAME
CNAME      .
2.6.2 Name Server
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/nameserver/list.jsp
Create a nameserver according to the following table:
Setting  Value
Name     localhost
Address  127.0.0.1
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/nameserver/create.jsp
TMSH
tmsh create ltm dns nameserver localhost { address 127.0.0.1 tsig-key none }
Create a DNS Express zone according to the following table:
Setting            Value
Name               rpz.example.com
Server             localhost
Allow NOTIFY From  127.0.0.1
Response Policy    checked
TMSH
tmsh create ltm dns zone rpz.example.com { dns-express-server localhost response-policy yes dns-express-allow-notify add { 127.0.0.1 } dns-express-notify-tsig-verify no }
Select validating-resolver_cache, click “Local Zones”, and click “Add”
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/cache/local_zone/list.jsp?name=%2FCommon%2Fvalidating-resolver_cache&tab=dns_cache_config
Create a local zone entry according to the following table:
Setting  Value
Name     sorry.example.com
Type     Static
Records  sorry.example.com. IN A 10.1.71.21
2.6.5 Walled Garden
Select validating-resolver_cache, click “Response Policy Zones”, and then click “Add”
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/cache/rpz/list.jsp?name=%2FCommon%2Fvalidating-resolver_cache&tab=dns_cache_config
Create a response policy zone entry according to the following table:
Setting        Value
Zone           rpz.example.com
Action         Walled Garden
Walled Garden  sorry.example.com
TMSH
tmsh modify ltm dns cache validating-resolver validating-resolver_cache response-policy-zones add { rpz.example.com { action walled-garden walled-garden sorry.example.com } }
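The pieces configured in 2.6 fit together at query time: the `*.guns.com.rpz.example.com.` record is a QNAME trigger, and the cache-level action just configured (Walled Garden pointing at `sorry.example.com`) replaces the `CNAME .` encoded in the record. The following added example (not F5 code and not part of the lab) models that evaluation in Python so the behaviour can be reasoned about before running `dig`. The zone content and local zone are constructed to mirror the tables above; the walled-garden answer is simplified to the A record of the sorry page. It also shows the caveat practitioners hit most often with RPZ wildcards: `*.guns.com` covers `www.guns.com` but not `guns.com` itself, which needs its own record.

```python
# Added example: a model of how the validating resolver applies the lab's
# rpz.example.com policy to a query. Data below is constructed from the lab tables.
RPZ_RECORDS = {
    "*.guns.com.": "CNAME .",   # the lab's trigger: every name below guns.com
}
LOCAL_ZONE = {"sorry.example.com.": "10.1.71.21"}   # the lab's static local zone

def canonical(name):
    """Lower-case, fully qualified form used for matching."""
    return name.lower().strip(".") + "."

def match_trigger(qname, records):
    """Find the QNAME trigger for a query: an exact owner first, then the
    nearest enclosing wildcard. '*.guns.com.' covers www.guns.com. and
    a.b.guns.com. but not guns.com. itself, which needs its own record."""
    name = canonical(qname)
    if name in records:
        return name, records[name]
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:]) + "."
        if wildcard in records:
            return wildcard, records[wildcard]
    return None, None

def apply_policy(qname, records, override=None, walled_garden=None):
    """Decide the response to an A query. override is the cache-level RPZ
    action (the lab sets 'walled-garden'); it replaces the action encoded
    in the matching record."""
    trigger, rdata = match_trigger(qname, records)
    if trigger is None:
        return {"trigger": None, "action": "passthru", "rcode": "NOERROR", "answer": None}
    if override == "walled-garden":
        target = canonical(walled_garden)
        return {"trigger": trigger, "action": "walled-garden", "rcode": "NOERROR",
                "answer": (target, LOCAL_ZONE.get(target))}
    # Standard RPZ encodings when no cache-level override is configured
    if rdata == "CNAME .":
        return {"trigger": trigger, "action": "nxdomain", "rcode": "NXDOMAIN", "answer": None}
    if rdata == "CNAME *.":
        return {"trigger": trigger, "action": "nodata", "rcode": "NOERROR", "answer": None}
    if rdata == "CNAME rpz-passthru.":
        return {"trigger": trigger, "action": "passthru", "rcode": "NOERROR", "answer": None}
    return {"trigger": trigger, "action": "cname", "rcode": "NOERROR", "answer": rdata.split()[1]}

if __name__ == "__main__":
    for q in ("www.guns.com", "guns.com", "www.f5.com"):
        print(q, apply_policy(q, RPZ_RECORDS, override="walled-garden", walled_garden="sorry.example.com"))
```

With the lab configuration, `dig www.guns.com` lands on 10.1.71.21 while `dig guns.com` still resolves normally; blocking the apex as well means adding a second record, `guns.com.rpz.example.com.`, alongside the wildcard.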
2.6.6 Results
Try running additional dig commands to verify that other domains still resolve as expected.
dig www.f5.com
2.7 URL Categorization
Configure DNS query filtering based on the category of the requested domain. This is done using F5 iRules and the built-in categorization database.
2.7.1 Create an iRule
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/rule/list.jsp
Create a new iRule, then copy the content below and paste it in.
Setting  Value
Name     DNS-query-filtering
when RULE_INIT {
    # Set categories to block for DNS hosts
    set static::blocked_categories {
        /Common/Bot_Networks
        /Common/Spyware
        /Common/Malicious_Web_Sites
        /Common/Adult_Content
        /Common/Sex
    }
    # CONFIGURATION
    # Check all requests by default
    set static::request_check 1
    # If the category returns as blocked, return NXDOMAIN (1)
    # Otherwise if (0), return a statically defined IP address
    set static::request_return_nxdomain 0
    set static::request_redirect_to "10.1.71.21"
    # Toggle for debug logs
    set static::request_debug 1
}
when DNS_REQUEST {
    if { $static::request_check } {
        # Classify the queried name; keep only the first category returned
        set lookup_category [getfield [CATEGORY::lookup "http://[DNS::question name]"] " " 1]
        # Only rewrite the answer when the category is on the block list
        if { [lsearch -exact $static::blocked_categories $lookup_category] >= 0 } {
            DNS::answer clear
            if { $static::request_return_nxdomain } {
                DNS::header opcode QUERY
                DNS::header rcode NXDOMAIN
            } else {
                if { [DNS::question type] equals "A" } {
                    DNS::answer insert "[DNS::question name]. 111 [DNS::question class] [DNS::question type] $static::request_redirect_to"
                }
            }
            DNS::return
        } else {
            if { $static::request_debug } {
                log local0. "Category $lookup_category matching [DNS::question name] is not filtered"
            }
        }
    }
}
TMSH commands for router01.branch01 (Make sure you use text editor to copy content above and paste it)
TMSH
tmsh create ltm rule DNS-query-filtering
2.7.2 iRule assignment
Navigate to the listener DC01_udp_virtual
Navigate to Manage
https://router01.branch01.example.com/tmui/Control/form?__handler=/tmui/dns/listener/irules&__source=Manage. . . &__link
Highlight the DNS-query-filtering iRule and move it to the Selected column
TMSH commands for router01.branch01
TMSH
tmsh modify gtm listener all rules { DNS-query-filtering }
2.7.3 Results
From the Workstation command prompt run “dig porno.com” and check the results.
Navigate to: DNS ›› Delivery : iRules : iRules List
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/rule/list.jsp
Click on the DNS-query-filtering iRule and add the new filtering category “News_and_Media”.
From the Workstation command prompt run “dig cnn.com” and check the results.
3 Credits
• Agility 2017:
Bill Wester
Boris Gekhtman
Brendan Gladney
Brian Buback
Emilio Torres
Dave Doucette
Josh Anderson
Robin Mordasiewicz
• Advisors:
Hitesh Patel
Joe Hermes
Jonathan Dehaan
Pat Chang
Pat Fiorino
Brian Van Lieu